Critical Vulnerability in Windows IIS – HTTP.sys PoC (MS15-034)

Microsoft’s warning does not make clear what the vulnerability is, but it is rated critical and must be patched, especially on public-facing Windows IIS servers:

A remote code execution vulnerability exists in the HTTP protocol stack (HTTP.sys) that is caused when HTTP.sys improperly parses specially crafted HTTP requests. An attacker who successfully exploited this vulnerability could execute arbitrary code in the context of the System account.

To exploit this vulnerability, an attacker would have to send a specially crafted HTTP request to the affected system. The update addresses the vulnerability by modifying how the Windows HTTP stack handles requests.

You can see a prototype test for the vulnerability here at Exploit-DB.

This security update is rated Critical for all supported editions of Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2. For more information and patch download, see the Affected Software section here at Microsoft.

Update 28th April 2015:
Awesome analysis of this vulnerability by Mike Czumak here.
